MANDIANT 



Doug Wilson 

Principal Consultant 
MANDIANT 

douglas.wilson@mandiant.com 



LEARNING BY BREAKING 

A NEW PROJECT FOR INSECURE WEB APPS 



ShmooCon 
February 5th, 2010






About . . . 

■ Doug Wilson 

- IT geek and "security guy" since 1999 

- Co-Chair OWASP DC, organizer CapSec DC 

- Organizer AppSecDC 2009 (and 2010?) 



■ MANDIANT

- Incident Response and Forensics 

- Proactive, Research, and Training 

- Commercial and Federal Services 
- Product: Mandiant Intelligent Response
OWASP

■ Open Web Application Security Project



- OWASP Top Ten 

- ESAPI / ESAPI WAF / AntiSamy 

- OpenSAMM/ASVS 

- Dev / Testing / Code Review Guides

- XSS / SQLi / CSRF Cheat Sheets 



http://www.owasp.org 
So you want to learn about
Web Application Security? 



Not everyone starts out L33T 

Most don't start out in Web App Sec 

Learn best by doing 

There should be stuff in the intarwebs 
Right? 

Well . . . 
Existing Options

■ Let's assume you are not a "Black Hat" 

■ Real Apps

- Some obvious problems here

■ Training Apps 

- OWASP: WebGoat, Vicnum, etc.

- Damn Vulnerable Web App, Mutillidae, 
Badstore 

■ Similar Projects

- Moth by Bonsai - mainly focused on w3af 
- Matt Johansen - WebGoat/Mutillidae/DVWA
Similar Problems Exist



If you want to test scanners 

If you want to test code review tools 

If you want to test WAFs 



If you want to have a testbed, it's a lot of 
sysadmin work. 
How to Solve Several Problems?



We were looking for web applications with 
vulnerabilities where we could test: 

- Manual Attack Techniques 

- Scanners 

- Source Code Analysis 

And 

- Look at the "Bad Code" 

- Modify/Fix Code 

- Examine evidence left by attacks 
- Web application firewalls / IDS systems
Solution? OWASP BWA

■ Assemble a set of broken, open source 
applications 

■ Figure out all the configuration headaches 

■ Put them all on a Virtual Machine 

■ Donate it to OWASP 

■ Step Five: Profit? 
Base Software

■ Based on Ubuntu Linux Server 9.10 

- No X-Windows or GUI 
- Apache

- PHP 

- Perl 
- MySQL

- PostgreSQL 

- Tomcat 
- OpenJDK
- Mono
Management Software

■ OpenSSH 

■ Samba 

■ phpMyAdmin 

■ Subversion Client 
Intentionally Broken Apps (v 0.9)

■ OWASP WebGoat version 5.3 (Java) 
■ OWASP Vicnum version 1.3 (Perl)

■ Mutillidae version 1.3 (PHP)

■ Damn Vulnerable Web Application version 
1.06 (PHP) 

■ OWASP CSRFGuard Test Application 
version 2.2 (Java) 
Intentionally Broken Apps (v 0.9)

■ Mandiant Struts Forms (Java/Struts) 

■ Simple ASP.NET Forms (ASP.NET/C#)

■ Simple Form with DOM Cross Site 
Scripting (HTML/JavaScript) 



More identified and planned for 1.0 release

LOOKING FOR DONATIONS! 
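The last broken app listed above is a DOM-based cross-site scripting form, and it is worth seeing what that class of bug looks like in code. What follows is an added example written for this page, not code from OWASP BWA or from the Simple Form app it lists: the vulnerable fragment-to-innerHTML sink beside its hardened form, modelled as plain functions so it runs under Node.js without a browser. The parameter name "name", the paragraph wrapper and the payload are assumptions chosen for illustration.

```javascript
// Added example (not OWASP BWA code): a DOM XSS sink and its hardened counterpart,
// modelled on a "#name=..." greeting form. The parameter name, markup and payload
// are assumptions. The functions return the string the page would assign to
// innerHTML, so both behaviours can be compared and tested without a browser.

// What a browser hands the page: location.hash, leading '#' included. The fragment
// is never sent to the server, so server-side filters and access logs do not see it.
function nameFromFragment(hash) {
  // "#name=Doug%20Wilson" -> "Doug Wilson". Most vulnerable pages decode before
  // writing into the DOM; decodeURIComponent throws on malformed sequences, so a
  // broken payload is returned raw rather than crashing the page.
  const m = /^#name=(.*)$/.exec(hash);
  if (!m) return "";
  try { return decodeURIComponent(m[1]); } catch { return m[1]; }
}

// VULNERABLE: untrusted fragment concatenated into HTML destined for innerHTML.
// Whoever crafts the link the victim clicks controls the fragment entirely.
function renderGreetingUnsafe(hash) {
  return "<p>Hello, " + nameFromFragment(hash) + "</p>"; // el.innerHTML = ...
}

// HARDENED: encode for the HTML text context before the value reaches the sink.
// In a real page the simpler fix is el.textContent = name, which needs no encoding.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"
  })[c]);
}
function renderGreetingSafe(hash) {
  return "<p>Hello, " + escapeHtml(nameFromFragment(hash)) + "</p>";
}

// Lab grading helper: did the rendered markup gain any element other than the
// expected <p>...</p>? Escaped text such as "&lt;img" does not count.
function injectsMarkup(html) {
  return /<(?!\/?p\b)[a-z]/i.test(html);
}

// Constructed payloads: what a phishing link's fragment looks like once the browser
// has percent-encoded it. No request carrying it ever reaches Apache.
const ATTACK = "#name=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";
const BENIGN = "#name=Doug%20Wilson";

console.log("unsafe:", renderGreetingUnsafe(ATTACK));
console.log("safe:  ", renderGreetingSafe(ATTACK));
```

The point to take from the lab is the one the access log cannot show you: the payload lives after the '#', so neither the web server nor a network IDS ever sees it, and the fix has to happen in the client-side code.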
Old Versions of Real Apps (v 0.9)

■ phpBB 2.0.0 (PHP, released April 4, 2002) 

■ WordPress 2.0.0 (PHP, released December 31, 2005)

■ Yazd version 1.0 (Java, released February 20, 2002)



More identified and planned for 1.0 release

LOOKING FOR IDEAS! 
Challenges

■ Organization and Roadmap 

■ Finding more apps 

■ Documentation and Education 

■ Making this a cohesive tool, rather than 
just a collection 

- Documenting Vulnerabilities 

- Gathering Evidence 

■ Different levels of logging 

■ Integration w/ WAFs: mod_security, ESAPI WAF, PHP-IDS
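As an added example for the "Examine evidence left by attacks" goal stated earlier and the "Gathering Evidence" / "Different levels of logging" challenges listed here (not code from OWASP BWA), the following Node.js script triages Apache combined-format access log lines the way you would against the VM: URL-decode the request target (repeatedly, to catch double encoding), match a small indicator set, and report the hits. The log lines are constructed, and the DVWA and Mutillidae paths in them are assumed for illustration. Note what the POST line shows: the login attempt leaves nothing useful in the access log because request bodies are not recorded, which is exactly the gap a mod_security audit log or PHP-IDS would fill.

```javascript
// Added example (not OWASP BWA code): triage of Apache access-log evidence from a
// lab VM. Log lines are constructed; the /dvwa and /mutillidae paths are assumed.

// Apache "combined" format. Only the request line is recorded: POST bodies, URL
// fragments and (by default) cookies never appear, hence the need for other
// logging levels and WAF/IDS hooks when gathering evidence.
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, proto, status, bytes, referer, ua] = m;
  return { ip, ts, method, target, proto, status: Number(status), bytes, referer, ua };
}

// Attackers percent-encode (often twice) to slip past naive grep; decode until the
// string stops changing, and give up on malformed sequences instead of throwing.
function fullyDecode(s, maxRounds = 3) {
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(prev.replace(/\+/g, " ")); } catch { return prev; }
    if (next === prev) return next;
    prev = next;
  }
  return prev;
}

// Minimal indicator set for a teaching lab. A real deployment would lean on
// mod_security / PHP-IDS rule sets rather than a hand-rolled list like this.
const INDICATORS = [
  { name: "sqli", re: /('|%27)\s*(or|and)\s+[\w'"]+\s*=|union\s+(all\s+)?select|sleep\(\d+\)|--\s*$/i },
  { name: "xss", re: /<script\b|<img\b[^>]*onerror|javascript:|on\w+\s*=\s*["']?alert/i },
  { name: "traversal", re: /(\.\.\/){2,}|\/etc\/passwd|c:\\windows/i },
];

function classify(entry) {
  const decoded = fullyDecode(entry.target);
  const hits = INDICATORS.filter(ind => ind.re.test(decoded)).map(ind => ind.name);
  return { ...entry, decoded, hits };
}

// Parse every line, decode and classify it, keep only entries with indicators.
function triage(logText) {
  return logText.split("\n").filter(Boolean).map(parseLine).filter(Boolean)
    .map(classify).filter(e => e.hits.length > 0);
}

// Constructed sample: four lines an attack session against the VM might leave.
const SAMPLE_LOG = [
  '10.0.2.15 - - [05/Feb/2010:13:55:36 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 5120 "http://192.168.56.101/dvwa/" "Mozilla/5.0"',
  '10.0.2.15 - - [05/Feb/2010:13:56:02 -0500] "GET /mutillidae/index.php?page=dns-lookup.php&target_host=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 3344 "-" "Mozilla/5.0"',
  '10.0.2.15 - - [05/Feb/2010:13:56:40 -0500] "POST /dvwa/login.php HTTP/1.1" 302 0 "http://192.168.56.101/dvwa/login.php" "Mozilla/5.0"',
  '10.0.2.15 - - [05/Feb/2010:13:57:11 -0500] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 2207 "-" "Mozilla/5.0"',
].join("\n");

const findings = triage(SAMPLE_LOG);
for (const f of findings) console.log(f.ts, f.hits.join(","), f.decoded);
```

Run it as-is to see three findings (SQLi, double-encoded XSS, traversal) and nothing for the POST; then swap in a real access.log from the VM after a scanner run to compare what the scanner did with what the server actually recorded.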
The Future

■ GET PEOPLE INVOLVED!

■ Update project for collaboration 

- Figure out how to distribute tasks 
- Create and maintain documentation
- Push content to Google Code

■ Incorporate additional broken apps 

- The larger, the better 

- Would like more real / realistic applications 
- Adobe Flash / Drupal / Ruby on Rails
More Information and Downloads

■ More information can be found at 
http://owaspbwa.org or on Google Code. 

■ Google Group available for support / 
discussion 

■ Version 0.9 released at AppSecDC 

- Mostly functional, just fewer applications than 
we would like 

- A couple of bugs (that we know of)

■ Version 1.0 will be released later in 2010
We welcome any help, broken applications, and feedback you can provide!



owaspbwa.org 
Questions?



owaspbwa.org / owasp.org 



OWASP DC / CapSec DC 



AppSecDC . . . Maybe again in 2010? 





mandiant.com 